Day 15 – Intrusion Prevention System (IPS) - Coggle Diagram
IPS Overview
What is IPS
Detects and prevents network attacks
Protects against exploits and vulnerabilities
Key Functions
Detects malicious activity
Prevents network exploits
Protects network resources
Reduces system vulnerability
How IPS Works
Traffic analysis, signature matching, behavioral analysis, response action
IPS Components
IPS Signature Databases
Contains signatures of known attacks and exploits
Regularly updated through FortiGuard
Protocol Decoders
Understand different network protocols (HTTP, FTP, DNS)
Allow the IPS to analyze traffic for protocol-specific attacks
IPS Engine
Matches traffic against the signature database
Processes incoming traffic and applies decoders
IPS Sensors
What are IPS Sensors
Collection of signatures and filters to monitor network traffic
Key Features
Signatures (attack patterns)
Filters (traffic rules)
Severity levels (priority of the attack)
How IPS Sensors Work
Continuously monitor traffic for attacks
Classify and take action based on severity level
Action Types
Block
Prevents malicious traffic from reaching its destination
Reset
Resets the connection associated with malicious traffic
Monitor
Logs the traffic without blocking, allowing for review
Quarantine
Isolates malicious activity for further investigation
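The "How IPS Works" chain above (traffic analysis, protocol decoding, signature matching, response action chosen by severity) and the sensor/action-type notes can be shown end to end in a small Python model. This is an added example, not code from the page or from any Fortinet product: the signature IDs, the sensor settings, the toy decoders and the sample traffic are all constructed, and the C2 domain is a reserved `.invalid` name.

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Severity ordering used to map a match to a response action (monitor/reset/block).
SEVERITY_ORDER = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Signature:
    sig_id: str        # constructed ID, not a FortiGuard signature ID
    name: str
    pattern: re.Pattern
    severity: str
    protocol: str      # which decoder's output the pattern is applied to


# Constructed signature database standing in for the IPS signature DB.
SIGNATURE_DB = [
    Signature("SIG-1001", "SQL Injection: tautology in query parameter",
              re.compile(r"(?i)['\"]\s*or\s+\d+\s*=\s*\d+"), "high", "http"),
    Signature("SIG-1002", "Path Traversal: repeated dot-dot sequence",
              re.compile(r"(\.\./){2,}"), "medium", "http"),
    Signature("SIG-1003", "XSS: script tag in parameter",
              re.compile(r"(?i)<script[\s>]"), "medium", "http"),
    Signature("SIG-1004", "Recon: HEAD probe of site root",
              re.compile(r"^HEAD /$"), "low", "http"),
    Signature("SIG-2001", "Suspected C2 beacon domain",
              re.compile(r"(?i)\bc2-example\.invalid\b"), "critical", "dns"),
]

# Sensor: the filters (enabled protocols, minimum severity) and the action per severity.
SENSOR = {
    "name": "web-and-dns-sensor",
    "enabled_protocols": {"http", "dns"},
    "min_severity": "medium",
    "action_by_severity": {"medium": "monitor", "high": "reset", "critical": "block"},
}


def decode_http(payload: bytes):
    """Protocol decoder: return 'METHOD <percent-decoded path>' or None if not HTTP."""
    try:
        first_line = payload.decode("ascii").split("\r\n", 1)[0]
    except UnicodeDecodeError:
        return None
    m = re.match(r"^(GET|POST|HEAD) (\S+) HTTP/1\.[01]$", first_line)
    if not m:
        return None
    # Normalising encoding in the decoder is what lets one signature catch %20 variants.
    return f"{m.group(1)} {unquote(m.group(2))}"


def decode_dns(payload: bytes):
    """Toy decoder for a constructed 'QNAME=<name>' text payload (not DNS wire format)."""
    text = payload.decode("ascii", errors="replace")
    return text[len("QNAME="):] if text.startswith("QNAME=") else None


DECODERS = {"http": decode_http, "dns": decode_dns}


@dataclass
class IpsEvent:
    sig_id: str
    attack: str
    severity: str
    action: str
    src: str
    evidence: str


def inspect(src: str, protocol: str, payload: bytes, sensor=SENSOR):
    """IPS engine: decode the payload, match enabled signatures, assign an action."""
    events = []
    if protocol not in sensor["enabled_protocols"]:
        return events
    decoded = DECODERS[protocol](payload)
    if decoded is None:
        return events
    min_sev = SEVERITY_ORDER[sensor["min_severity"]]
    for sig in SIGNATURE_DB:
        if sig.protocol != protocol or SEVERITY_ORDER[sig.severity] < min_sev:
            continue  # filtered out by the sensor's protocol/severity filters
        m = sig.pattern.search(decoded)
        if m:
            action = sensor["action_by_severity"].get(sig.severity, "monitor")
            events.append(IpsEvent(sig.sig_id, sig.name, sig.severity, action, src, m.group(0)))
    return events


def run_sensor(traffic):
    """Inspect each sample; return (all IPS log events, verdict per sample)."""
    all_events, verdicts = [], []
    for src, proto, payload in traffic:
        events = inspect(src, proto, payload)
        # The most severe matching signature decides the response action.
        verdicts.append(max(events, key=lambda e: SEVERITY_ORDER[e.severity]).action
                        if events else "pass")
        all_events.extend(events)
    return all_events, verdicts


# Constructed sample traffic (source, protocol, payload); not captured data.
SAMPLE_TRAFFIC = [
    ("10.0.0.5", "http", b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
    ("10.0.0.7", "http", b"GET /login?user=admin'%20OR%201=1 HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
    ("10.0.0.8", "http", b"GET /download?file=../../../etc/passwd HTTP/1.1\r\n\r\n"),
    ("10.0.0.9", "dns", b"QNAME=beacon.c2-example.invalid"),
    ("10.0.0.6", "http", b"HEAD / HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    for e in run_sensor(SAMPLE_TRAFFIC)[0]:
        # One line per event, the fields an IPS log review needs: attack, severity, action.
        print(f"{e.src} {e.sig_id} {e.severity:<8} {e.action:<7} {e.attack} [{e.evidence}]")
```

The HEAD probe is matched by a signature but never logged, because the sensor's minimum severity filters it; raising a sensor's minimum severity trades noise for visibility, which is the review the "IPS Logs" section below is about.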
Blocking Malicious URLs/Command and Control (C2) Traffic
What is C2 Traffic
Communication between compromised systems (botnets) and attacker-controlled servers
How IPS Blocks C2 Traffic
Block domains or IP addresses associated with C2 servers
Monitor traffic patterns for unusual C2 behaviors
Importance of Blocking C2 Traffic
Prevents malware spread
Stops data exfiltration
Mitigates further attacks from infected devices
Vulnerability Types
SQL Injection
Exploits database vulnerabilities to execute arbitrary SQL commands
IPS signatures for SQL injection prevent unauthorized access to databases
Cross-Site Scripting (XSS)
Injects malicious scripts into web applications to steal data or manipulate content
Buffer Overflow
Causes applications to overwrite memory, potentially executing malicious code
Path Traversal
Allows attackers to access files and directories outside the intended directory
Code Injection
Injects malicious code into vulnerable applications or services
Monitoring IPS Logs and Security Dashboard
IPS Logs
Records events detected by IPS
Shows the type of attack, response actions, and severity levels
Use of Logs
Review detected attacks, analyze actions taken, and troubleshoot issues
Security Dashboard
Real-time overview of IPS activity
Shows statistics like attack types, severity, and blocked attempts
Helps prioritize response based on active threats